Setup 2FA with YubiKey and LUKS

Hello,

I would like to set up two-factor authentication with yubikey-full-disk-encryption.
At the moment I'm using the disk encryption that one can choose during the installation process of Manjaro, in combination with a separate encrypted home partition on a second hard drive.

This is my partition structure:

NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                8:0  0   1,8T  0 disk
└─sda1             8:1  0   1,8T  0 part
  └─sda1_crypt   254:2  0   1,8T  0 crypt /home
nvme0n1          259:0  0 476,9G  0 disk
├─nvme0n1p1      259:1  0   300M  0 part  /boot/efi
├─nvme0n1p2      259:2  0 467,8G  0 part
│ └─luks-uid1    254:0  0 467,8G  0 crypt /
└─nvme0n1p3      259:3  0   8,8G  0 part
  └─luks-uid2    254:1  0   8,8G  0 crypt [SWAP]

Extract of /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=uid1:luks-uid1 root=/dev/mapper/luks-uid1 resume=/dev/mapper/luks-uid1 apparmor=1 security=apparmor udev.log_priority=3 acpi_backlight=vendor amd_iommu=on"
GRUB_ENABLE_CRYPTODISK=y

What I tried so far:

  1. Add a new LUKS key with ykfde-enroll to the root and swap partitions

  2. Change /etc/ykfde.conf

     YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
     YKFDE_CHALLENGE_SLOT="2" 
    
  3. Change /etc/mkinitcpio.conf:

     HOOKS=(... ykfde encrypt ...)
    

When I start the system after these changes, I get the familiar GRUB prompt to enter my passphrase. After that I get a message from ykfde that the partitions have already been decrypted.

I hope someone knows how I could set it up easily.

Kind regards
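An added example, not from the thread and not part of yubikey-full-disk-encryption: a POSIX shell script with two static checks on the configuration lines quoted in the post above. The sample inputs are constructed from the post's own values; the full HOOKS list fills the elided hooks with an assumed typical Manjaro order, and nothing is read from disk. It checks that ykfde sits ahead of encrypt in HOOKS=(...), the order the post uses, and that cryptdevice=, root= and resume= on the kernel command line name the mapper devices you expect. On the quoted line, resume= points at luks-uid1, which lsblk lists as the root mapper, while the swap mapper is luks-uid2, so the script prints the resume= target for comparison.

```shell
#!/bin/sh
# Added example (not part of the thread): static checks for a ykfde + encrypt
# initramfs setup. Parses a mkinitcpio HOOKS= line and a GRUB kernel cmdline
# and answers two questions worth settling before rebuilding the initramfs:
#   1. does the ykfde hook come before encrypt?
#   2. do cryptdevice=, root= and resume= name the mapper devices you expect?

# Constructed samples. The HOOKS list fills the post's "..." with a typical
# Manjaro hook order (an assumption); the cmdline is the one quoted in the post.
MKINITCPIO_SAMPLE='HOOKS=(base udev autodetect modconf block keyboard keymap ykfde encrypt filesystems fsck)'
GRUB_SAMPLE='GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=uid1:luks-uid1 root=/dev/mapper/luks-uid1 resume=/dev/mapper/luks-uid1 apparmor=1 security=apparmor"'

# hook_index HOOKS_LINE NAME
# Prints the 1-based position of NAME inside HOOKS=( ... ), or 0 if absent.
hook_index() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))$/\1/p')
    i=0
    for h in $hooks; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then
            printf '%s\n' "$i"
            return 0
        fi
    done
    printf '0\n'
}

# ykfde_before_encrypt HOOKS_LINE
# Succeeds only when both hooks are present and ykfde precedes encrypt.
ykfde_before_encrypt() {
    y=$(hook_index "$1" ykfde)
    e=$(hook_index "$1" encrypt)
    [ "$y" -gt 0 ] && [ "$e" -gt 0 ] && [ "$y" -lt "$e" ]
}

# cmdline_value LINE KEY
# Prints the value of KEY=... from a quoted GRUB_CMDLINE_LINUX_DEFAULT line.
cmdline_value() {
    printf '%s\n' "$1" | sed -n "s/.*[ \"]$2=\([^ \"]*\).*/\1/p"
}

# Mapper names: cryptdevice=UUID=<uuid>:<name>[:options], root=/dev/mapper/<name>,
# resume=/dev/mapper/<name>. Each prints just <name>.
cryptdevice_mapper() { cmdline_value "$1" cryptdevice | sed 's/^[^:]*://; s/:.*$//'; }
root_mapper()        { cmdline_value "$1" root   | sed 's#^/dev/mapper/##'; }
resume_mapper()      { cmdline_value "$1" resume | sed 's#^/dev/mapper/##'; }

# cmdline_consistent LINE
# Succeeds when root= refers to the mapper device that cryptdevice= opens.
cmdline_consistent() {
    c=$(cryptdevice_mapper "$1")
    [ -n "$c" ] && [ "$c" = "$(root_mapper "$1")" ]
}

# Report on the constructed samples.
if ykfde_before_encrypt "$MKINITCPIO_SAMPLE"; then
    echo "hooks: ykfde precedes encrypt"
else
    echo "hooks: ykfde missing or listed after encrypt"
fi
if cmdline_consistent "$GRUB_SAMPLE"; then
    echo "cmdline: root= matches cryptdevice= ($(root_mapper "$GRUB_SAMPLE"))"
else
    echo "cmdline: root= does not match the device cryptdevice= opens"
fi
echo "cmdline: resume= names $(resume_mapper "$GRUB_SAMPLE"); compare with the [SWAP] mapper in lsblk"
```

To run it against a real system, replace the constructed samples with the output of `grep '^HOOKS=' /etc/mkinitcpio.conf` and `grep '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub`; the checks are purely textual and do not touch any LUKS device.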

Hello,

Did you find some answers since then?
In your case, without the YubiKey part, did you set up multiple passphrases, one for each partition (/, /home and swap)?

Sorry for the late reply: I set the passphrase for the system partition during the installation and configured the home partition according to this post: askubuntu[dot]com/a/1035703 (I know it's Ubuntu, but it works too :blush:). But at the moment I have stopped looking into the 2FA-LUKS topic.